OWASP BENELUX - 2011
The Rise of Vulnerability Markets - History, Impacts, Mitigations
Thierry Zoller
EMEA Practice Lead, Threat and Vulnerability Management
Agenda
• Brief Introduction
  - Me, Myself and I
  - Small Announcement & Plug
• The history and rise of the “Vulnerability Markets”
  - Crash course - Typical Vulnerability Lifecycle
  - The history behind the shift to Vulnerability Markets
  - Difference of Eco-Systems
  - Vulnerability Market Prices and Value
  - The split up between Mass and Targeted Attacks
• The implications
  - Attacker Class Model (Old vs. New)
  - The resulting impacts on the threat landscape and defensive mechanisms / compensating controls
• Proposal: Use OWASP ASVS (align it to ISO/IEC 27034-1:2011) and adjust development and audit requirements around Assurance Levels
Me, Myself and I
• Thierry Zoller
• Born and raised in Luxembourg
• EMEA Practice Lead for the Verizon Business “Threat and Vulnerability Management” Practice
• Former Director of Product Security and Security Service @ n.runs
• Leading the SDLC efforts EMEA-wide / Microsoft SDL Pro Network Partnership
• Acts as an Application Security Subject Matter Expert
• My analyses of several 0-day vulnerabilities are referenced by multiple CERTs (US-CERT, FI-CERT, FR-CERT) and Vulnerability Management Solutions (Qualys, etc.)
• Discovered, reported and coordinated hundreds of vulnerabilities in software ranging from Oracle, Apple, Microsoft and Checkpoint to McAfee
• Endorsed as a TOP 10 security researcher 2009 by IBM X-Force
Who are we? (that’s the plug)
• Who the heck is Verizon Business?
  - Part of Verizon
  - Security Branch is a buy-in from Cybertrust (Ubizen), Netsec (Defcom)
  - Global IP Network (2700+ Cities, 150+ Countries, 200+ Datacenters, 4000+ Managed customer networks)
  - 4 SOCs Worldwide
  - 280.000 employees worldwide (VZ)
• Quick Verizon Business Luxembourg PSF - Facts
  - We exist.
  - Full Professional Service Capability (GRC, TVM, NIS, BR..)
  - Full SDLC capability
  - EMEA Forensic Lab is located in Luxembourg
  - SOC and Datacenter in LU / MSS 24/24 in LU (PSF)
Partnership (That’s the announcement)
• Announcement: Verizon Business Luxembourg is now part of, and leading, the Microsoft SDL Pro Network Partnership EMEA-wide
• Partnership to be formally announced soon
Threat Intelligence
The basis of this talk:
• Constantly monitoring the Threat Landscape
• Empirical data / Empirical Risk Management
• Intelligence sources: OSINT, Data Breach Report, Underground Monitoring, Forensic Investigations, Security Research, SOC, our CERTs
• Vulnerability Market Prices:
  - Jason Steer (private survey amongst sellers)
  - Charlie Miller (public)
  - Internal Research (private survey amongst buyers, trusted contacts)
• General inspiration: Dan Guido
• Disclaimer: This presentation will cover what we factually know exists; assumptions will be explicitly stated as such.
Introduction
Definitions
• Notation used during this presentation
• Vulnerability
  “A defect/bug that allows an external entity/agent to directly or indirectly influence the availability, reliability, confidentiality or integrity of a system/application/data”
• Exploit / Proof of Concept
  “A program that makes use of a vulnerability to deliver a harmless payload such as a crash”
• Weaponised Exploit
  “A program that has been developed to deliver a particular payload suited for a particular range of targets” (Stuxnet, Custom Payloads)
Quick Recap 2000-2011
• Mass Malware Market
  - Exploit Kits, Botnets
  - Identity Theft, Banking Theft
  - “Pay to Install” schemes
• Commercial Vulnerability Market emerged
  - Core Impact, Canvas
  - Secunia, Vupen, iDefense, Securiteam
• Targeted attacks on the rise
  - Stuxnet, RSA SecurID, Northrop, Duqu (etc.)
  - Multiple zero days and the highly targeted nature point to a sophisticated state funded attacker
• Hacktivists
Attacker Classes and Model
• The premise for this talk
• Attacker Classes / Attacker Pyramid
• Concentrate on the 2 most prominent classes for this talk
[Figure: Attacker Pyramid. Name → Attacker Class; Surface Area → Amount. Layers: Opportunists (Examples: Script Kiddies, Mass Malware, Worms, Bots; marked 2), Targeting Opportunists (Examples: Hacktivists), Targeted (Examples: Professional “Hackers”, Digital Mercenaries), State funded (Examples: APT, Industrial Espionage / Nations; marked 1).]
Attacker Classes and Model
[Figure: Attacker Pyramid. Name → Attacker Class; Surface Area → Amount. Layers: Opportunists (Examples: Script Kiddies, Mass Malware, Worms, Bots), Targeting Opportunists (Examples: Hacktivists), Targeted (Examples: Professional “Hackers”, Digital Mercenaries), State funded (Examples: APT, Industrial Espionage / Nations).]
[Figure: Business Asset Pyramid. Name → Business Asset; Surface Area → Value to the Business. Layers: Money / Physical Assets of Value; Credentials / Identities / Money (Examples: Customer Data, Banking Data); Intellectual Property / Data (Examples: RSA, Northrop, Stuxnet); Reputation / Damage / Insurance (Examples: Sony).]
Evolution of the Vulnerability Markets
[Image. Source: Melanie Weidner]
Evolution of the Vulnerability Markets
• How did those 4 classes emerge?
• Introduction to the Vulnerability Lifecycle
• Introduction
• The evolution of the “Market”
• The Split
• Follow the money
• Examples
Vulnerability Lifecycle
• Standard Vulnerability Lifecycle
[Figure: timeline Creation → Discovery → Notification → Disclosure → Patch availability → Patch installed. Information is not public up to Disclosure and public afterwards. Who knows about the flaw: Unknown (before discovery) → Third party (after discovery) → Vendor (after notification) → Public (after disclosure); until disclosure the flaw is a “known unknown”.]
Inspired by: Frei, Plattner, Trammell
Risk Phases in Vulnerability Lifecycle
• Pre-Disclosure Risk
  - Possibility of re-discovery/cross discovery (by malicious entity)
  - Known unknown - Customers at Risk / Vendor at Risk
• Post-Disclosure Risk
  - Possibility that vendor silently fixes the vulnerability
  - Possibility of re-discovery
  - Customer at risk (not aware of any vulnerability, hence of any risk)
• Post-Patch Risk
  - Time window between awareness and patch deployment
  - Faulty patch
[Figure: lifecycle timeline Discovery → Notification → Disclosure → Patch availability → Patch installed, with the three windows Pre-Disclosure Risk, Post-Disclosure Risk and Post-Patch Risk marked; information is not public before Disclosure and public afterwards.]
“For the three years between 2002 & 2004, at least [..] 8.47% of credited vulnerabilities were found to have been independently rediscovered during the relatively short time frame in which Microsoft worked on a patch.”
Source: University of Cambridge
The shift to Vulnerability Markets
• Quick Summary:
  - It takes time, effort and knowledge to find security issues in commercial products. It is most often not something you just stumble upon. (“Oh look, there we have a vulnerability”)
  - Vendors often demand proof that the bug is indeed a security vulnerability, or fix it silently (or not at all). Depending on the bug class, that alone can take days or entire weeks.
  - Enterprises are more and more dependent on IT systems
  - Value of assets and data increased
  - Value of vulnerabilities increased in parallel
  - There is an imbalance between the effort of the work by the “discoverer” vs. the value of the vulnerability
  - Market theory suggests that supply and demand automatically create an equilibrium in unbalanced ecosystems. No different for this particular market / ecosystem.
[Graph: Cost/Effort over Time, plotting Value of Vulnerabilities against Discovery Effort. * Totally non scientific graph..]
The shift to Vulnerability Markets
• The early days (95-2004)
  - Exploits circulated underground (private)
  - Often driven by ego and skill
  - Leaked very often, mostly used for private enjoyment
• Mid-2000s – Commercial
  - Vendors buy vulnerabilities, coordinate and publish
  - iDefense started VPC in 2003
  - TippingPoint ZDI started in 2005
  Vendors are informed, there is public disclosure and there is a patch
• Late 2000s – “Black Market”
  - Trade of vulnerabilities
  - Government entities buy unknown vulnerabilities
  - Often must be in weaponised state
  - Sometimes they pop up (Stuxnet)
  - This market is not a myth; it exists and flourishes
  Vendors are not informed, the public is not informed, there is no patch
“Between 2003 and 2007 7.5% of vulnerabilities affecting Microsoft and Apple were processed by ZDI or VPC”
[Timeline graphic] The inevitable happened: “ ? ”
The shift to Vulnerability Markets
• Today
  - Companies offer access to exploit code for known vulnerabilities (Exploit Hub, Vupen, Secunia ..)
  - Companies offer access to root cause analysis of vulnerabilities (Secunia, Vupen, ..)
  - Commercial exploit frameworks (Canvas, Core Impact, Exploit Packs)
  - Specialised companies produce weaponised exploits by brokering and augmenting vulnerabilities they buy from “researchers”
  - Non-transparent market of unknown/unpatched vulnerabilities
• Conclusion:
  - The importance of SKILL as a factor to measure attacker sophistication decreased
  - Factors that increased in importance: Motivation, Funding and hence sophistication
[Graph: Skill over Time. * Another totally non scientific graph..]
The shift to Vulnerability Markets
[Graph: Skill over Time. * Another totally non scientific graph..]
• Vupen offer - credits actually equal cash [screenshot]
The split
[Figure: the Attacker Pyramid (Name → Attacker Class; Surface Area → Amount. Layers: Opportunists - Script Kiddies, Mass Malware, Worms, Bots; Targeting Opportunists - Anonymous; Targeted - Professional Hackers, Digital Mercenaries; State funded - APT, Industrial Espionage / Nations; class 1 = State funded, class 2 = Opportunists) shown twice, with an “Evolution” arrow leading to the Business Asset Pyramid (Name → Business Asset; Surface Area → Value to the Business. Layers: Money / Physical Assets of Value; Credentials / Identities / Money - Customer Data, Banking Data; Intellectual Property / Data - RSA, Northrop, Stuxnet; Reputation / Damage / Insurance - Sony).]
1 - State funded
• Example: Government Agency
  - Discovery
  - Details of flaw submitted to middle-man
  - Middle-man submits for review to XYZ
  - Middle-man comes back with price proposal
  - Formal contract is signed
  - Exploit is fine-tuned
  - Delivery of exploit + payload
  - 30 MD buffer (reduces risk for middle-man)
  - Money transferred
• Middle-man reduces risk for end buyer, who can often not directly buy from foreign or otherwise non-trusted sources.
[Figure: lifecycle timeline with Exploit in place of Notification: Creation → Discovery → Exploit → Disclosure → Patch availability → Patch installed; Unknown → Known unknown → Third party → Vendor / Public; information is not public before Disclosure.]
Public Log (Source: Charlie Miller)
Date      Action
6/05      Vulnerability discovered.
11/07/05  Submitted to prepub review at NSA.
7/27/06   Approved for release by prepub review.
7/27/06   Offered to government.
8/10/06   Verbally agreed to $80K conditional deal.
8/11/06   Exploit given for evaluation.
8/25/06   Hash of exploit published.
8/28/06   Agreed to lesser amount.
9/8/06    Paid.
[Figure: Attacker Pyramid with class 1 (State funded) highlighted.]
1 - State funded
Value – How is value being determined?
• This slide had a form used to estimate value by a certain company.
This slide is intentionally left blank
1 - State funded
Summary: How is value being determined
• Popularity of OS and Application
• Reliability of Exploit
• Complexity of Access (Remote, Local)
• Privilege Level obtained (root, admin, user) / Integrity Level gained
• Sandbox bypass and exploit mitigation bypass capability
• Tactical or Strategic Operations planned or ongoing (“Operations” as in military speak)
• Special cases likely dealt with on a case-by-case basis (“We need an exploit for XYZ for Operation ‘Stuxnet’ now..”)
1 - The shift of Vulnerability Markets
Prices – What prices are being paid?
• Who pays the most:
  1. Governments (Direct Buyer)
  2. Commercial (ZDI, VPC..)
  3. Organised Crime
• Survey based on input of 25 vulnerability sellers:
[Chart. Source: unifysecurityresearch survey (based upon 25 vulnerability sellers) – Analysis by Jason Steer. Visible labels: “Above 30K USD”, “Stay unknown with no Patch”.]
1 - The shift of Vulnerability Markets
Prices – More Data
• Probably unreliable dataset:
Vulnerability/Exploit          | Value               | Source
“Some exploits”                | $200,000 - $250,000 | Gov’t official referring to what ”some people” pay
Significant, reliable exploit  | $125,000            | Adriel Desautels, SNOSoft
Internet Explorer              | $60,000 - $120,000  | H.D. Moore
Vista exploit                  | $50,000             | Raimund Genes, Trend Micro
“Weaponized exploit”           | $20,000 - $30,000   | David Maynor, SecureWorks
ZDI, iDefense purchases        | $2,000 - $10,000    | David Maynor, SecureWorks
WMF exploit                    | $4,000              | Alexander Gostev, Kaspersky
Microsoft Excel                | $1,200              | eBay auction site
Vendors offer:
Google                         | up to $3,177        | Google bug bounty program
Facebook                       | up to $1,000        | Facebook bug bounty program
Mozilla                        | $500                | Mozilla bug bounty program
Microsoft                      | $0                  |
Data Source: Charlie Miller + small parts Zoller
1 - The shift of Vulnerability Markets
Intelligence Feedback
• This slide included examples of zero-day vulnerabilities for which we have strong evidence to suggest that they have been sold
This slide is intentionally left blank
1 - The Consequences
[Figure: “Their 0-Day” set against Your IPS, Your SIEM, Your AV, Your Firewall and Patch Management.]
2 - Mass Market
• Example: Organised Crime
  - Interested in the mass
  - Mass infection, mass theft of credentials
  - Increases the likelihood that an exploit works
  - Rarely buy 0day, but pick up what is left behind
  - Increase chances of compromise through mass distribution
  - Interested in compromising a lot of hosts
  - Create botnets / infect hosts
  - Spam
  - Steal identities and money
  - Steal banking credentials
  - Data shows that they are Opportunists (they are after the mass)
[Figure: Attacker Pyramid with class 2 (Opportunists) highlighted.]
2 - Mass Market
• Total number of Vulnerabilities (2010, Est.)
• To avoid mass malware like “SpyEye, Zeus, Gozi...” you needed to address the following amount of vulnerabilities:
[Chart covering 2009, 2010 and 2011. Raw data source: Contagio. Analysis inspired by Dan Guido.]
2 - Mass Market
Total # of unique Vulnerabilities in 54* Exploit kits (* includes different versions)
Raw Data source: Contagio
[Bar chart; data labels as extracted, left to right along the year axis 2000, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011: 1, 1, 4, 3, 15, 15, 10, 19, 24, 4]
Summary
We can conclude that there are differences in motivations, sophistication and typical target groups:
The implications
• We may not like it, yet we have to face the fact that the threat landscape has changed, and this poses a concern for those that have to defend against it.
• “Penetrate and Patch” is not adequate (it has never been)
• Defenses must be:
  - Designed and built around the assumption that they fail (Sandbox, Exploit mitigation)
  - Built around the concept of “Reduced attack surface”
  - Have multiple layers of generic defence mechanisms (sandboxes)
  - Limit the impact of vulnerabilities
  - Reduce the likelihood of successful exploitation
  - Raise the bar (more effort required)
  - Work generically and not as a one-time fix (patch)
Mitigations / Consequences
• Adapt your Governance approach to the new Threat Landscape
• One option: An Attacker-Centric Model
  - Create a model around different Threat Agents and Classes:
    - Decide which classes of attackers you want to protect an asset against (Business Value, using the Attacker Pyramid as example)
    - Adapt audit requirements (Assurance Concept) and development requirements (SDLC) to the level above
    - Adapt framework to the changes
    - Contractually enforce SDLC when in-sourcing software development
  - Benefits: Less money “wasted” on assets of low value, more flexibility, better time to market.
  - Benefits: Higher assurance on assets that are worth protecting
  - This is in line with ISO/IEC 27034-1:2011
[Figure: Attacker Pyramid. Name → Attacker Class; Surface Area → Amount. Layers: Opportunists (Script Kiddies, Mass Malware, Worms, Bots), Targeting Opportunists (Hacktivists), Targeted (Professional “Hackers”, Digital Mercenaries), State funded (APT, Industrial Espionage / Nations).]
Mitigations / Consequences
• Example: OWASP Application Security Verification Standard
  - 4 Verification Levels, released in 2009
  - Currently appears to have a low adoption rate
  - We strongly recommend looking into it
  - Depending on the targeted Verification Level, the scope, requirements and controls change
  - Uses a “positive” approach to verification
  - Exhaustive list of controls to check for on each level
  - Allows for remediation plans to meet the Verification Standard after initial test
  - Quick retesting possible
  - Detailed reporting guidelines
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
Mitigations / Consequences
• Attacker-centric risk management
  - May revolve around the concept of Assurance Level
  - Depending on the level of assurance against a certain type of attacker, a different set of requirements, controls and scope are required to be covered.
  - Let’s face it - there is no assurance in an automated web application scan, and there is only some assurance in a manual web application test.
• Benefits:
  - Budget assurance at an early stage
  - Suitable level of assurance per application
  - Permits risk-based management on applications/architectures
  - Mature way of assessing security of applications
Mitigations / Consequences
• For Web Applications, the concept could look like:
Assurance Level   | Scope / Techniques
Assurance Level 1 | Automated; Manual (verification of automated findings only)
Assurance Level 2 | Level 1 + Manual Inspection
Assurance Level 3 | Level 2 + Database Audit, Source Code Review
Assurance Level 4 | Level 3 + Architectural Review
Mitigations / Consequences
• (cont.)
Assurance Level   | Scope / Techniques                                           | Suitable to provide assurance against
Assurance Level 1 | Automated; Manual (verification of automated findings only)  | Unsophisticated opportunistic attackers. Limitations: does not cover application logic
Assurance Level 2 | Level 1 + Manual Inspection                                  | Targeting Opportunists such as attackers with open source attack tools
Assurance Level 3 | Level 2 + Database Audit, Source Code Review                 | Determined attackers who are skilled and motivated, focusing on specific targets, including using purpose-built attack tools
Assurance Level 4 | Level 3 + Architectural Review                               | Determined and professional attackers – potentially state funded attackers
Thank you for your Attention
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Paige Cruz
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?Mark Billinghurst
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Skynet Technologies
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctBrainSell Technologies
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!Memoori
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch TuesdayIvanti
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandIES VE
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Patrick Viafore
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingScyllaDB
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsLeah Henrickson
 
Revolutionizing SAP® Processes with Automation and Artificial Intelligence
Revolutionizing SAP® Processes with Automation and Artificial IntelligenceRevolutionizing SAP® Processes with Automation and Artificial Intelligence
Revolutionizing SAP® Processes with Automation and Artificial IntelligencePrecisely
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform EngineeringMarcus Vechiato
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTopCSSGallery
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdfMuhammad Subhan
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentationyogeshlabana357357
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Hiroshi SHIBATA
 

Recently uploaded (20)

ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdf
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
Using IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & IrelandUsing IESVE for Room Loads Analysis - UK & Ireland
Using IESVE for Room Loads Analysis - UK & Ireland
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Revolutionizing SAP® Processes with Automation and Artificial Intelligence
Revolutionizing SAP® Processes with Automation and Artificial IntelligenceRevolutionizing SAP® Processes with Automation and Artificial Intelligence
Revolutionizing SAP® Processes with Automation and Artificial Intelligence
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development Companies
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024Long journey of Ruby Standard library at RubyKaigi 2024
Long journey of Ruby Standard library at RubyKaigi 2024
 

The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thierry Zoller - OWASP BENELUX

1. The Rise of Vulnerability Markets - History, Impacts, Mitigations
OWASP BENELUX - 2011
Thierry Zoller, EMEA Practice Lead, Threat and Vulnerability Management

2. Agenda
 Brief Introduction
   Me, Myself and I
   Small Announcement & Plug
 The history and rise of the “Vulnerability Markets”
   Crash course - Typical Vulnerability Lifecycle
   The history behind the shift to Vulnerability Markets
   Difference of Eco-Systems
   Vulnerability Market Prices and Value
   The split up between Mass and Targeted Attacks
 The implications
   Attacker Class Model (Old vs. New)
   The resulting impacts on the threat landscape and defensive mechanisms / compensating controls
 Proposal: Use OWASP ASVS (align it to ISO/IEC 27034-1:2011) and adjust development and audit requirements around Assurance Levels

3. Me, Myself and I
 Thierry Zoller
 Born and raised in Luxembourg
 EMEA Practice Lead for the Verizon Business “Threat and Vulnerability Management” Practice
 Former Director of Product Security and Security Service @ n.runs
 Leading the SDLC efforts EMEA wide / Microsoft SDL Pro Network Partnership
 Act as an Application Security Subject Matter Expert
 My analyses of several 0-day vulnerabilities are referenced by multiple CERTs (US-CERT, FI-CERT, FR-CERT) and Vulnerability Management Solutions (Qualys, etc.)
 Discovered, reported and coordinated hundreds of vulnerabilities in software ranging from Oracle, Apple, Microsoft, Checkpoint to McAfee
 Endorsed as a TOP 10 security researcher 2009 by IBM X-Force

4. Who are we? (that’s the plug)
 Who the heck is Verizon Business?
   Part of Verizon
   Security branch is a buy-in from Cybertrust (Ubizen), Netsec (Defcom)
   Global IP Network (2700+ cities, 150+ countries, 200+ datacenters, 4000+ managed customer networks)
   4 SOCs worldwide
   280.000 employees worldwide (VZ)
 Quick Verizon Business Luxembourg PSF - Facts
   We exist.
   Full Professional Service capability (GRC, TVM, NIS, BR..)
   Full SDLC capability
   EMEA Forensic Lab is located in Luxembourg
   SOC and Datacenter in LU / MSS 24/24 in LU (PSF)

5. Partnership (that’s the announcement)
 Announcement: Verizon Business Luxembourg is now part of, and leading, the Microsoft SDL Pro Network Partnership EMEA wide
 Partnership to be formally announced soon

6. Threat Intelligence
The basis of this talk:
 Constantly monitoring the threat landscape
 Empirical data / Empirical Risk Management
 Intelligence sources: OSINT, Data Breach Report, underground monitoring, forensic investigations, security research, SOC, our CERTs
 Vulnerability Market Prices:
   Jason Steer (private survey amongst sellers)
   Charlie Miller (public)
   Internal research (private survey amongst buyers, trusted contacts)
 General inspiration: Dan Guido
 Disclaimer: This presentation will cover what we factually know exists; assumptions will be explicitly stated as such.

7. Introduction

8. Definitions
Notation used during this presentation:
 Vulnerability
   “A defect/bug that allows an external entity/agent to directly or indirectly influence the availability, reliability, confidentiality or integrity of a system/application/data”
 Exploit / Proof of Concept
   “A program that makes use of a vulnerability to deliver a harmless payload such as a crash”
 Weaponised Exploit
   “A program that has been developed to deliver a particular payload suited for a particular range of targets” (Stuxnet, custom payloads)

9. Quick Recap 2000-2011
 Mass Malware Market
   Exploit kits, botnets
   Identity theft, banking theft
   “Pay to Install” schemes
 Commercial Vulnerability Market emerged
   Core Impact, Canvas
   Secunia, Vupen, iDefense, Securiteam
 Targeted attacks on the rise
   Stuxnet, RSA SecurID, Northrop, Duqu (etc.)
   Multiple zero-days and a highly targeted nature point to a sophisticated state-funded attacker
 Hacktivists

10. Attacker Classes and Model
 The premise for this talk
 Attacker Classes / Attacker Pyramid
 Concentrate on the 2 most prominent classes (marked 1 and 2) for this talk
(Figure: Attacker pyramid. Axes: Name → Attacker Class, Surface Area → Amount. From the broadest layer to the narrowest: Opportunists (examples: Script Kiddies, Mass Malware, Worms, Bots); Targeting Opportunists (examples: Hacktivists); Targeted (examples: Professional “Hackers”, Digital Mercenaries); State funded (examples: APT, Industrial Espionage / Nations).)

11. Attacker Classes and Model
(Figure: the attacker pyramid of slide 10 placed next to a business asset pyramid. Axes: Name -> Business Asset, Surface Area -> Value to the Business. Layers: Money / Physical Assets of Value; Credentials / Identities / Money (examples: Customer Data, Banking Data); Intellectual Property / Data (examples: RSA, Northrop, Stuxnet); Reputation / Damage / Insurance (example: Sony).)

12. Evolution of the Vulnerability Markets
(Figure. Source: Melanie Weidner)

13. Evolution of the Vulnerability Markets
 How did those 4 classes emerge?
 Introduction to the Vulnerability Lifecycle
   Introduction
   The evolution of the “Market”
   The Split
   Follow the money
   Examples

14. Vulnerability Lifecycle
 Standard Vulnerability Lifecycle
(Figure: timeline Creation → Discovery → Notification → Disclosure → Patch availability → Patch installed. Up to Disclosure the information is not public, afterwards it is public. Who knows: Unknown → Third party (known unknown) → Vendor / Public. Inspired by: Frei, Plattner, Trammel.)

15. Risk Phases in Vulnerability Lifecycle
 Pre-Disclosure Risk
   Possibility of re-discovery/cross-discovery (by a malicious entity)
   Known unknown - customers at risk / vendor at risk
 Post-Disclosure Risk
   Possibility that the vendor silently fixes the vulnerability
   Possibility of re-discovery
   Customer at risk (not aware of any vulnerability, hence of any risk)
 Post-Patch Risk
   Time window between awareness and patch deployment
   Faulty patch
(Figure: the lifecycle timeline of slide 14 with the three phases marked: Pre-Disclosure Risk from Discovery/Notification to Disclosure, Post-Disclosure Risk from Disclosure to Patch availability, Post-Patch risk from Patch availability to Patch installed.)
“For the three years between 2002 & 2004, at least [..] 8.47% of credited vulnerabilities were found to have been independently rediscovered during the relatively short time frame in which Microsoft worked on a patch.” Source: University of Cambridge
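The lifecycle of slide 14 and the three risk phases of slide 15, as an added Python example that is not part of the deck: it classifies a vulnerability's state on a given day and measures each risk window, including the silent-fix case the slide mentions (a patch shipped without any disclosure). All dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional


@dataclass
class VulnLifecycle:
    """Milestones of the standard vulnerability lifecycle (slide 14).
    A milestone that has not happened yet is left as None."""
    discovery: date
    notification: Optional[date] = None    # vendor informed (known unknown)
    disclosure: Optional[date] = None      # information becomes public
    patch_available: Optional[date] = None
    patch_installed: Optional[date] = None

    def __post_init__(self) -> None:
        # Nothing can happen before the flaw was discovered.
        for name in ("notification", "disclosure", "patch_available", "patch_installed"):
            when = getattr(self, name)
            if when is not None and when < self.discovery:
                raise ValueError(f"{name} precedes discovery")


def classify(lc: VulnLifecycle, today: date) -> str:
    """Lifecycle state of the vulnerability on `today` (latest milestone wins)."""
    def done(when: Optional[date]) -> bool:
        return when is not None and when <= today

    if done(lc.patch_installed):
        return "patched"
    if done(lc.patch_available):
        return "post-patch"
    if done(lc.disclosure):
        return "post-disclosure"
    if done(lc.notification):
        return "known unknown"       # vendor knows, the public does not
    return "pre-disclosure"          # only the discoverer knows


def risk_windows(lc: VulnLifecycle, today: date) -> Dict[str, object]:
    """Length in days of each risk phase from slide 15, as of `today`.

    pre_disclosure : discovery until public disclosure (rediscovery risk)
    post_disclosure: disclosure until a patch exists
    post_patch     : patch available until it is installed
    silent_fix     : a patch exists but nothing was disclosed before it, so
                     customers are not aware of any risk
    """
    def happened(when: Optional[date]) -> bool:
        return when is not None and when <= today

    end_pre = lc.disclosure if happened(lc.disclosure) else today
    pre = max(0, (end_pre - lc.discovery).days)

    post_disc = 0
    if happened(lc.disclosure):
        end_post = lc.patch_available if happened(lc.patch_available) else today
        post_disc = max(0, (end_post - lc.disclosure).days)   # 0 if patched before disclosure

    post_patch = 0
    if happened(lc.patch_available):
        end_patch = lc.patch_installed if happened(lc.patch_installed) else today
        post_patch = (end_patch - lc.patch_available).days

    silent_fix = happened(lc.patch_available) and (
        lc.disclosure is None or lc.disclosure > lc.patch_available)
    return {"pre_disclosure": pre, "post_disclosure": post_disc,
            "post_patch": post_patch, "silent_fix": silent_fix}


def sample_cases():
    """Constructed timelines (not from the deck): a coordinated disclosure
    and a vendor that patched without ever disclosing."""
    today = date(2011, 6, 1)
    coordinated = VulnLifecycle(
        discovery=date(2011, 1, 10), notification=date(2011, 1, 12),
        disclosure=date(2011, 3, 1), patch_available=date(2011, 3, 15),
        patch_installed=date(2011, 4, 20))
    silent = VulnLifecycle(
        discovery=date(2011, 1, 10), notification=date(2011, 1, 12),
        patch_available=date(2011, 2, 1), patch_installed=date(2011, 3, 1))
    return today, coordinated, silent


if __name__ == "__main__":
    today, coordinated, silent = sample_cases()
    for label, lc in (("coordinated", coordinated), ("silent fix", silent)):
        print(label, classify(lc, today), risk_windows(lc, today))
```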
16. The shift to Vulnerability Markets
Quick summary:
 It takes time, effort and knowledge to find security issues in commercial products. It is most often not something you just stumble upon. (“Oh look, there we have a vulnerability”)
 Vendors often demand proof that the bug is indeed a security vulnerability, or fix it silently (or not at all). Depending on the bug class that alone can take days or entire weeks.
 Enterprises are more and more dependent on IT systems
   Value of assets and data increased
   Value of vulnerabilities increased in parallel
 There is an imbalance between the effort of the work by the “discoverer” vs. the value of the vulnerability
 Market theory suggests that demand and offer automatically create an equilibrium in unbalanced ecosystems. No different for this particular market / ecosystem.
(Figure: Cost/Effort over Time, with the curve “Value of Vulnerabilities” rising and “Discovery Effort” rising. * Totally non-scientific graph.)

17. The shift to Vulnerability Markets
 The early days (95-2004)
   Exploits circulated underground (private)
   Often driven by ego and skill
   Leaked very often; mostly used for private enjoyment
 Mid 2000 – Commercial
   Vendors buy vulnerabilities, coordinate and publish
   iDefense started VCP in 2003
   TippingPoint ZDI started in 2005
   Vendors are informed, there is public disclosure and there is a patch
 Late 2000 – “Black Market”
   Trade of vulnerabilities
   Government entities buy unknown vulnerabilities
   Often must be in weaponised state
   Sometimes they pop up (Stuxnet)
   This market is not a myth; it exists and flourishes
   Vendors are not informed, the public is not informed, there is no patch
“Between 2003 and 2007 7.5% of vulnerabilities affecting Microsoft and Apple were processed by ZDI or VCP”
(Figure: timeline of the three eras above; the inevitable happened: “?”)

18. The shift to Vulnerability Markets
 Today
   Companies offer access to exploit code for known vulnerabilities (Exploit Hub, Vupen, Secunia ..)
   Companies offer access to root cause analysis of vulnerabilities (Secunia, Vupen, ..)
   Commercial exploit frameworks (Canvas, Core Impact, Exploit Packs)
   Specialised companies produce weaponised exploits by brokering and augmenting vulnerabilities they buy from “researchers”
   Non-transparent market of unknown/unpatched vulnerabilities
 Conclusion:
   The importance of SKILL as a factor to measure attacker sophistication decreased
   Factors that increased in importance: Motivation, Funding and hence sophistication
(Figure: Skill over Time, falling. * Another totally non-scientific graph.)

19. The shift to Vulnerability Markets
(Figure: Vupen offer - credits actually equal cash)

20. The split
(Figure: the attacker pyramid of slide 10 before and after the “Evolution”, with the two classes marked 1 and 2. Attacker classes: Opportunists (examples: Script Kiddies, Mass Malware, Worms, Bots); Targeting Opportunists (example: Anonymous); Targeted (examples: Professional Hackers, Digital Mercenaries); State funded (examples: APT, Industrial Espionage / Nations). Business asset pyramid: Money / Physical Assets of Value; Credentials / Identities / Money (examples: Customer Data, Banking Data); Intellectual Property / Data (examples: RSA, Northrop, Stuxnet); Reputation / Damage / Insurance (example: Sony).)

21. 1 - State funded
 Example: Government Agency
   Discovery
   Details of flaw submitted to middle-man
   Middle-man submits to review to XYZ
   Middle-man comes back with price proposal
   Formal contract is signed
   Exploit is fine-tuned
   Delivery of exploit + payload
   30 MD buffer (reduces risk for middle-man)
   Money transferred
 The middle-man reduces risk for the end buyer, who can often not directly buy from foreign or otherwise non-trusted sources.
(Figure: the lifecycle timeline of slide 14 with “Exploit” in the place of Notification: Creation → Discovery → Exploit → Disclosure → Patch availability → Patch installed.)
Public log (Source: Charlie Miller):
   6/05 Vulnerability discovered.
   11/07/05 Submitted to prepub review at NSA.
   7/27/06 Approved for release by prepub review.
   7/27/06 Offered to government.
   8/10/06 Verbally agreed to $80K conditional deal.
   8/11/06 Exploit given for evaluation.
   8/25/06 Hash of exploit published.
   8/28/06 Agreed to lesser amount.
   9/8/06 Paid.
(Figure: attacker pyramid of slide 20, class 1 (State funded) highlighted.)

22. 1 - State funded
Value – How is value being determined?
 This slide had a form used to estimate value by a certain company.
This slide is intentionally left blank.

23. 1 - State funded
Summary: How is value being determined
 Popularity of OS and application
 Reliability of exploit
 Complexity of access (remote, local)
 Privilege level obtained (root, admin, user) / integrity level gained
 Sandbox bypass and exploit mitigation bypass capability
 Tactical or strategic operations planned or ongoing (“Operations” as in military speak)
 Special cases likely dealt with on a case-by-case basis
   (“We need an exploit for XYZ for Operation “Stuxnet” now..”)

24. 1 - The shift of Vulnerability Markets
Prices – What prices are being paid?
 Who pays the most:
   1. Governments (direct buyer)
   2. Commercial (ZDI, VCP..)
   3. Organised Crime
 Survey based on input of 25 vulnerability sellers
(Chart. Source: unifysecurityresearch survey (based upon 25 vulnerability sellers) – analysis by Jason Steer. Labels: “Above 30K USD”, “Stay unknown with no Patch”.)

25. 1 - The shift of Vulnerability Markets
Prices – More Data
 Probably unreliable dataset:
   Vulnerability/Exploit | Value | Source
   “Some exploits” | $200,000 - $250,000 | Gov’t official referring to what “some people” pay
   Significant, reliable exploit | $125,000 | Adriel Desautels, SNOSoft
   Internet Explorer | $60,000 - $120,000 | H.D. Moore
   Vista exploit | $50,000 | Raimund Genes, Trend Micro
   “Weaponized exploit” | $20,000 - $30,000 | David Maynor, SecureWorks
   ZDI, iDefense purchases | $2,000 - $10,000 | David Maynor, SecureWorks
   WMF exploit | $4,000 | Alexander Gostev, Kaspersky
   Microsoft Excel | $1,200 | eBay auction site
 Vendors offer:
   Google | up to $3,177 | Google bug bounty program
   Facebook | up to $1,000 | Facebook bug bounty program
   Mozilla | $500 | Mozilla bug bounty program
   Microsoft | $0 |
Data source: Charlie Miller + small parts Zoller

26. 1 - The shift of Vulnerability Markets
Intelligence Feedback
 This slide included examples of zero-day vulnerabilities for which we have strong evidence to suggest that they have been sold.
This slide is intentionally left blank.

27. 1 - The shift of Vulnerability Markets
Intelligence Feedback
This slide is intentionally left blank.

28. 1 - The Consequences
(Figure: Your IPS, your SIEM, your AV, your firewall and your patch management on one side; their 0-day on the other.)

29. The split
(Figure: same as slide 20, the attacker pyramid before and after the “Evolution” next to the business asset pyramid.)

30. 2 - Mass Market
 Example: Organised Crime
 Interested in the mass
   Mass infection, mass theft of credentials
   Increases the likelihood that an exploit works
   Rarely buy 0-day, but pick up what is left behind
   Increase chances of compromise through mass distribution
 Interested in compromising lots of hosts
   Create botnets / infect hosts
   Spam
   Steal identities and money
   Steal banking credentials
 Data shows that they are Opportunists (they are after the mass)
(Figure: attacker pyramid of slide 20, class 2 (Opportunists) highlighted.)

31. 2 – Mass Market
(Figure: class 2 highlighted.)

32. 2 - Mass Market
 Total number of vulnerabilities (2010, est.)
 To avoid mass malware like “SpyEye, Zeus, Gozi...” you needed to address the following amount of vulnerabilities:
(Chart for 2009, 2010, 2011. Raw data source: Contagio. Analysis inspired by Dan Guido.)

33. 2 - Mass Market
Total # of unique vulnerabilities in 54* exploit kits (raw data source: Contagio; * includes different versions):
   2000: 1
   2003: 1
   2004: 4
   2005: 3
   2006: 15
   2007: 15
   2008: 10
   2009: 19
   2010: 24
   2011: 4

34. Summary
We can conclude that there are differences in motivations, sophistication and typical target groups:

35. The implications
 We may not like it, yet we have to face the fact that the threat landscape has changed, and this poses a concern for those that have to defend against it.
 “Penetrate and Patch” is not adequate (it has never been)
 Defenses must be:
   Designed and built around the assumption that they fail (sandbox, exploit mitigation)
   Built around the concept of “reduced attack surface”
   Have multiple layers of generic defence mechanisms (sandboxes)
   Limit the impact of vulnerabilities
   Reduce the likelihood of successful exploitation
   Raise the bar (more effort required)
   Work generically and not as a one-time fix (patch)

36. Mitigations / Consequences
 Adapt your governance approach to the new threat landscape
 One option: an Attacker Centric Model
 Create a model around different threat agents and classes:
   Decide which classes of attackers you want to protect an asset against (business value, using the Attacker Pyramid as example)
   Adapt audit requirements (Assurance Concept) and development requirements (SDLC) to the level above
   Adapt framework to the changes
   Contractually enforce SDLC when in-sourcing software development
 Benefits: less money “wasted” on assets of low value, more flexibility, better time to market.
 Benefits: higher assurance on assets that are worth protecting
 This is in line with ISO/IEC 27034-1:2011
(Figure: attacker pyramid of slide 10.)

37. Mitigations / Consequences
 Example: OWASP Application Security Verification Standard
   4 Verification Levels, released in 2009
   Currently appears to have a low adoption rate
   We strongly recommend looking into it
 Depending on the Verification Level, the scope, requirements and controls change according to the targeted Verification Level
 Uses a “positive” approach to verification
 Exhaustive list of controls to check for on each level
 Allows for remediation plans to meet the Verification Standard after the initial test
 Quick retesting possible
 Detailed reporting guidelines
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

38. Mitigations / Consequences
 Attacker centric risk management
   May revolve around the concept of Assurance Level
   Depending on the level of assurance against a certain type of attacker, a different set of requirements, controls and scope are required to be covered.
   Let’s face it - there is no assurance in an automated web application scan, and there is only some assurance in a manual web application test.
 Benefits:
   Budget assurance at an early stage
   Suitable level of assurance per application
   Permits risk-based management on applications/architectures
   Mature way of assessing security of applications

39. Mitigations / Consequences
 For web applications, the concept could look like:
   Assurance Level 1 | Scope: Automated | Techniques: Manual (verification of automated findings only)
   Assurance Level 2 | Level 1 + | Manual Inspection
   Assurance Level 3 | Level 2 + | Database Audit, Source Code Review
   Assurance Level 4 | Level 3 + | Architectural Review

40. Mitigations / Consequences
 (cont.) The same table with the attacker class each level is suitable to provide assurance against:
   Assurance Level 1 (Automated; manual verification of automated findings only): Unsophisticated opportunistic attackers. Limitation: does not cover application logic.
   Assurance Level 2 (Level 1 + Manual Inspection): Targeting Opportunists such as attackers with open source attack tools.
   Assurance Level 3 (Level 2 + Database Audit, Source Code Review): Determined attackers who are skilled and motivated, focusing on specific targets, including using purpose-built attack tools.
   Assurance Level 4 (Level 3 + Architectural Review): Determined and professional attackers – potentially state-funded attackers.

41. Thank you for your attention